add role migration tests without Endpoint product line

2025-06-27 18:51:07 -04:00 · 2025-06-20 02:59:15 +02:00 · 2025-06-20 02:59:15 +02:00 · 309abb30a8
commit 309abb30a8
parent 1c31f56b43
4 changed files with 143 additions and 0 deletions
--- a/.buildkite/ftr_security_stateful_configs.yml
+++ b/.buildkite/ftr_security_stateful_configs.yml
@ -101,6 +101,7 @@ enabled:
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/policy/trial_license_complete_tier/configs/ess.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/configs/ess.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/response_actions/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/configs/ess.config.ts
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts
@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/serverless/config.base.edr_workflows')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    kbnTestServer: {
+      ...functionalConfig.get('kbnTestServer'),
+      serverArgs: [
+        ...functionalConfig.get('kbnTestServer.serverArgs'),
+
+        `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+          { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
+        ])}`,
+      ],
+    },
+    testFiles: [require.resolve('..')],
+    junit: {
+      reportName: 'EDR Workflows API - Role Migration Tests - Serverless Env - search AI lake tier',
+    },
+  };
+}
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts
@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+
+export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) {
+  describe('Endpoint related user role migrations without Endpoint product line', function () {
+    loadTestFile(require.resolve('./siem_v3_global_artifact_management'));
+  });
+}
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts
@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common';
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+
+  const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2'];
+
+  const ROLE_NAME = 'siem_v3_test_role';
+
+  const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) =>
+    supertest
+      .put(`/api/security/role/${ROLE_NAME}`)
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .send({
+        elasticsearch: { cluster: [], indices: [], run_as: [] },
+        kibana: [
+          {
+            base: [],
+            feature: {
+              [feature]: privileges,
+            },
+            spaces: ['*'],
+          },
+        ],
+      })
+      .expect(204);
+
+  const getMigratedSiemFeaturesFromRole = async (): Promise<FeaturesPrivileges[string]> => {
+    const response = await supertest
+      .get(`/api/security/role/${ROLE_NAME}`)
+      .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .expect(200);
+
+    const role = response.body as Role;
+    expect(role._transform_error).to.have.length(
+      0,
+      `Role migration encountered an error, probably a non-existing privilege is added.
+      Transform error: ${JSON.stringify(role._transform_error)}`
+    );
+
+    // migrating from `siem` adds timeline and notes, but in this test it is irrelevant
+    return role.kibana[0].feature.siemV3;
+  };
+
+  describe('@serverless @skipInServerlessMKI Role migrations towards siemV3 without Endpoint product line', () => {
+    afterEach(async () => {
+      await supertest
+        .delete(`/api/security/role/${ROLE_NAME}`)
+        .set('kbn-xsrf', 'true')
+        .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+        .expect([204, 404]);
+    });
+
+    for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) {
+      describe(`from ${deprecatedSiem}`, () => {
+        const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem);
+
+        it(`should keep ${deprecatedSiem}:READ privilege`, async () => {
+          await putDeprecatedSiemPrivilegesInRole(['read']);
+
+          expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']);
+        });
+
+        it(`should keep ${deprecatedSiem}:MINIMAL_READ privilege`, async () => {
+          await putDeprecatedSiemPrivilegesInRole(['minimal_read']);
+
+          expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']);
+        });
+
+        it(`should keep ${deprecatedSiem}:ALL privilege`, async () => {
+          await putDeprecatedSiemPrivilegesInRole(['all']);
+
+          expect(await getMigratedSiemFeaturesFromRole()).to.eql(['all']);
+        });
+
+        it(`should keep ${deprecatedSiem}:MINIMAL_ALL privilege`, async () => {
+          await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+          expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']);
+        });
+      });
+    }
+  });
+}